How this class of vulnerabilities will impact millions of connected devices and potentially wreck the day of IT security professionals.
Researchers estimate more than 100 million internet-connected devices are vulnerable to a class of flaws dubbed NAME:WRECK.
Devices ranging from smartphones to aircraft navigation systems and industrial internet of things (IIoT) endpoints are vulnerable to either a denial-of-service (DoS) or remote code-execution (RCE) attack, according to a joint report by Forescout Research Labs and JSOF Research Labs. Patches are available for some affected vendors.
Nine vulnerabilities were identified within the implementation of the Domain Name System (DNS) protocol used by TCP/IP network communication stacks. These two technologies are used in tandem to uniquely identify devices connected to the internet and facilitate digital communications between them. The most serious of the flaws are rated critical in severity.
“The widespread deployment and often external exposure of vulnerable DNS clients leads to a dramatically increased attack surface,” researchers wrote in a report released Tuesday (PDF). “[W]e can estimate that at least 100 million devices are impacted by NAME:WRECK.”
Breaking Down the NAME:WRECK Bugs
Under the auspices of the research collective known as Project Memoria, NAME:WRECK is the fifth set of vulnerabilities impacting TCP/IP libraries to be disclosed over the past three years. Those that came before are URGENT/11, Ripple20, Amnesia:33 and NUMBER:JACK (also discovered by Project Memoria and Forescout).
Forescout and JSOF researchers divide the nine NAME:WRECK vulnerabilities into four subcategories according to the DNS and TCP/IP stack (or firmware) used inside the affected devices. The categories are FreeBSD, IPnet, Nucleus NET and NetX, each common in IoT and operational technology (OT) systems.
Researchers said the origin of the name NAME:WRECK is based on “how the parsing of domain names can break – ‘wreck’ – DNS implementations in TCP/IP stacks, leading to denial of service or remote code-execution.”
NAME:WRECK is similar to previous TCP/IP-DNS bugs that illustrate the complexity of the DNS protocol “that tends to yield vulnerable implementations,” where bugs can often be leveraged by external attackers to take control of millions of devices simultaneously, researchers said.
Unpacking a DNS Compression Bug
One class of NAME:WRECK bugs is identified as DNS compression issues, impacting a wide range of devices that compress the data they use to communicate over the internet using TCP/IP.
“With the first vulnerability, CVE-2020-27009, the attacker can craft a DNS response packet with a combination of invalid compression pointer offsets that allows them to write arbitrary data into sensitive parts of a device’s memory, where they will then inject the code,” researchers wrote.
“The second vulnerability, CVE-2020-15795, allows the attacker to craft meaningful code to be injected by abusing very large domain name records in the malicious packet. Finally, to deliver the malicious packet to the target, the attacker can bypass DNS query-response matching using CVE-2021-25667,” they wrote.
The technical specifics are complicated, but boil down to how a domain name (like Google.com) is encoded within the TCP/IP stack as a sequence of labels “terminated by the NULL byte (0x00).” This encoding and compression of domain names is meant to reduce the size of DNS messages. However, attackers could exploit flaws in how a TCP/IP stack unpacks compressed domain names, exposing the devices running that stack to attack.
“By carefully choosing a combination of invalid compression offsets placed in a DNS packet, attackers can perform controlled out-of-bounds writes into the destination buffer ‘dst,’ potentially achieving remote code-execution,” researchers wrote.
As for the attack vector, researchers said, “The easiest way to construct a payload that will overflow name and overwrite heap metadata is to chain multiple domain labels.”
Researchers also identified other types of NAME:WRECK flaws, such as domain name label-parsing bugs, message-compression vulnerabilities and VDomain name label-parsing bugs.
The Nine NAME:WRECK Bugs
The following are the vulnerability CVE tracking numbers and the type of TCP/IP stacks impacted:
CVE-2020-7461: A message-compression bug impacting devices running FreeBSD that can lead to RCE (CVSS severity rating 7.7).
CVE-2016-20009: A message-compression bug impacting devices running IPnet that can lead to RCE (CVSS severity rating 9.8).
CVE-2020-15795: A domain name label-parsing bug impacting devices running Nucleus NET that can lead to RCE (CVSS severity rating 8.1).
CVE-2020-27009: A message-compression bug impacting devices running Nucleus NET that can lead to RCE (CVSS severity rating 8.1).
CVE-2020-27736: A VDomain name label-parsing bug impacting devices running Nucleus NET that can lead to DoS (CVSS severity rating 6.5).
CVE-2020-27737: A VDomain name label-parsing bug impacting devices running Nucleus NET that can lead to DoS (CVSS severity rating 6.5).
CVE-2020-27738: A message-compression bug impacting devices running Nucleus NET that can lead to DoS (CVSS severity rating 6.5).
CVE-2021-25677: A transaction-ID bug impacting devices running Nucleus NET that can lead to DNS cache-poisoning attacks (CVSS severity rating 5.3).
CVE unassigned: A message-compression bug impacting devices running NetX that can lead to DNS cache-poisoning attacks (CVSS severity rating 6.5).
How Can Users Mitigate NAME:WRECK Bugs?
Researchers are recommending that users and IT security staff discover and inventory devices running the vulnerable stacks. Forescout is making available an open-source script to fingerprint impacted devices.
Researchers also recommended the implementation of device and network-segmentation controls and restricting external communication to vulnerable devices until they are patched or removed from the network; and of course, users should patch devices as fixes become available.
Beyond that, users should configure vulnerable devices to run on internal DNS servers, and monitor network traffic for malicious packets attempting to exploit NAME:WRECK vulnerabilities or any bug affecting DNS, mDNS and DHCP clients.
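The label-and-pointer encoding described earlier, parsed with the bounds checks whose absence produces the out-of-bounds write into `dst` that the researchers quote, as an added example written for this article; it is not code from Forescout, JSOF or any of the affected stacks, and the packet bytes are constructed for illustration. The same validation is the kind of check a monitoring tool would apply to flag malformed DNS responses, which is what the mitigation advice above asks for. The decoder rejects compression pointers that do not point backwards, pointer loops, labels over 63 bytes, names over 255 bytes and any write past the caller's buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 1035 limits: a label is at most 63 bytes, a name at most 255 bytes on the wire. */
#define DNS_MAX_LABEL 63
#define DNS_MAX_NAME  255

/* Decode a possibly compressed domain name starting at pkt[off] into dst as dotted
 * text. Returns the number of bytes the name occupies at the original position
 * (what a caller advances by), or -1 on malformed input. */
int dns_decode_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                    char *dst, size_t dst_len)
{
    size_t pos = off, consumed = 0, hops = 0, out = 0, wire_len = 0;
    int jumped = 0;

    if (dst_len == 0) return -1;
    for (;;) {
        if (pos >= pkt_len) return -1;            /* length byte outside packet */
        uint8_t len = pkt[pos];

        if ((len & 0xC0) == 0xC0) {               /* 11xxxxxx: compression pointer */
            if (pos + 1 >= pkt_len) return -1;    /* second pointer byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            /* RFC 1035 pointers refer to a PRIOR occurrence, so require target < pos.
             * That alone does not stop a loop through a label (see offset 35 below),
             * hence the hop counter: a packet holds at most pkt_len/2 pointers. */
            if (target >= pos) return -1;
            if (++hops > pkt_len / 2) return -1;
            if (!jumped) { consumed = pos + 2 - off; jumped = 1; }
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                /* 01/10 prefixes are reserved */

        wire_len += 1 + len;
        if (wire_len > DNS_MAX_NAME) return -1;   /* uncompressed name too long */
        if (len == 0) {                           /* root label terminates the name */
            if (!jumped) consumed = pos + 1 - off;
            if (out == 0) {                       /* bare root: print "." */
                if (dst_len < 2) return -1;
                dst[out++] = '.';
            }
            dst[out] = '\0';                      /* room guaranteed by the checks below */
            return (int)consumed;
        }
        if (len > DNS_MAX_LABEL) return -1;
        if (pos + 1 + len > pkt_len) return -1;   /* label bytes run past the packet */
        size_t need = len + (out > 0 ? 1 : 0) + 1; /* label + separator + NUL */
        if (dst_len - out < need) return -1;      /* would overflow dst */
        if (out > 0) dst[out++] = '.';
        memcpy(dst + out, pkt + pos + 1, len);
        out += len;
        pos += 1 + len;
    }
}

/* Constructed sample packet (not a real capture): 12-byte zeroed header followed by
 * one valid uncompressed name, one valid compressed name and three malformed names. */
static const uint8_t sample_pkt[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,                          /* header */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,    /* offset 12: example.com */
    3,'w','w','w', 0xC0, 0x0C,                          /* offset 25: www + ptr->12 */
    0xC0, 0x1F,                                         /* offset 31: ptr to itself */
    0xC0, 0xFF,                                         /* offset 33: ptr->255, past end */
    3,'a','b','c', 0xC0, 0x23,                          /* offset 35: abc + ptr->35, loop */
};

/* Return code of decoding the sample packet at off with a dst of dst_len bytes. */
int sample_decode_rc(size_t off, size_t dst_len)
{
    char buf[DNS_MAX_NAME + 1];
    if (dst_len > sizeof buf) dst_len = sizeof buf;
    return dns_decode_name(sample_pkt, sizeof sample_pkt, off, buf, dst_len);
}

/* 1 if the name at off decodes successfully to exactly `expect`, else 0. */
int sample_decode_is(size_t off, const char *expect)
{
    char buf[DNS_MAX_NAME + 1];
    int rc = dns_decode_name(sample_pkt, sizeof sample_pkt, off, buf, sizeof buf);
    return rc > 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    const size_t offsets[] = { 12, 25, 31, 33, 35 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        char buf[DNS_MAX_NAME + 1];
        int rc = dns_decode_name(sample_pkt, sizeof sample_pkt, offsets[i], buf, sizeof buf);
        if (rc < 0) printf("offset %zu: REJECTED (malformed name)\n", offsets[i]);
        else        printf("offset %zu: \"%s\" (%d bytes consumed)\n", offsets[i], buf, rc);
    }
    return 0;
}
```

The backwards-only rule on pointers is deliberately stricter than a literal reading of RFC 1035, but no sane encoder emits a pointer to a name it has not written yet, and the strictness removes a whole class of ambiguous inputs. Note that the pointer at offset 35 passes the backwards check on every iteration yet still loops, which is why both the hop counter and the 255-byte total are enforced independently of the pointer direction check.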